Cayin Signage Media Player 3.0 Root Remote Command Injection

Title: Cayin Signage Media Player 3.0 Root Remote Command Injection
Advisory ID: ZSL-2020-5569
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 04.06.2020
CAYIN Technology provides Digital Signage solutions, including media players, servers, and software designed for the DOOH (Digital Out-of-home) networks. We develop industrial-grade digital signage appliances and tailored services so you don't have to do the hard work.
CAYIN SMP-xxxx suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP GET parameter in system.cgi and wizard_system.cgi pages.
CAYIN Technology Co., Ltd. -
Affected Version
SMP-8000QD v3.0
SMP-8000 v3.0
SMP-6000 v3.0 Build 19025
SMP-6000 v1.0 Build 14246
SMP-6000 v1.0 Build 14199
SMP-6000 v1.0 Build 14167
SMP-6000 v1.0 Build 14097
SMP-6000 v1.0 Build 14090
SMP-6000 v1.0 Build 14069
SMP-6000 v1.0 Build 14062
SMP-4000 v1.0 Build 14098
SMP-4000 v1.0 Build 14092
SMP-4000 v1.0 Build 14087
SMP-2310 v3.0
SMP-2300 v3.0 Build 19316
SMP-2210 v3.0 Build 19025
SMP-2200 v3.0 Build 19029
SMP-2200 v3.0 Build 19025
SMP-2100 v10.0 Build 16228
SMP-2100 v3.0
SMP-2000 v1.0 Build 14167
SMP-2000 v1.0 Build 14087
SMP-1000 v1.0 Build 14099
SMP-PROPLUS v1.5 Build 10081
SMP-WEBPLUS v6.5 Build 11126
SMP-WEB4 v2.0 Build 13073
SMP-WEB4 v2.0 Build 11175
SMP-WEB4 v1.5 Build 11476
SMP-WEB4 v1.5 Build 11126
SMP-WEB4 v1.0 Build 10301
SMP-300 v1.0 Build 14177
SMP-200 v1.0 Build 13080
SMP-200 v1.0 Build 12331
SMP-PRO4 v1.0
SMP-NEO2 v1.0
SMP-NEO v1.0
Tested On
CAYIN Technology KT-Linux v0.99
Apache/1.3.42 (Unix)
Apache/1.3.41 (Unix)
Linux 2.6.37
Vendor Status
[15.05.2020] Vulnerability discovered.
[23.05.2020] Vendor contacted.
[25.05.2020] Vendor responds asking more details.
[25.05.2020] Sent details to the vendor.
[04.06.2020] No response from the vendor.
[04.06.2020] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <>
[04.06.2020] - Initial release
[05.06.2020] - Added reference [1], [2] and [3]
[22.06.2020] - Added reference [4]
Zero Science Lab